
The CyberArk Red Team is a highly qualified group of industry veterans who are trained to use “any means necessary” – just as an attacker would – to help security operations teams identify and measure which threats they can detect – and which ones they cannot.

In a recent post, we asked Shay Nahari, our Head of Red Team Services, about the process and goals of simulated attacks. In this exchange, we ask additional questions about an attack simulation and his team’s approach. Here are some highlights of our conversation:

Q: How do organizations test internal and external systems, so that the exercise successfully mimics real attacks?

A: If you examine real-world breaches, you can see that adversaries are always thinking – and operating – in terms of goals, such as stealing intellectual property or financial records. With traditional penetration testing, you would have someone scan to pinpoint specific vulnerabilities, such as an unpatched Windows system, on the network. While this is certainly an important vulnerability to know about, advanced attackers simply don’t think like this. They are goal-driven and will try multiple times until they get into the network and onto the path that will lead them to the crown jewels. This is done by hunting for privileges that will allow them to move around on the network. Make no mistake – attackers will get in. Operating under the assumption that you’ve already been breached is the first step in improving your organization’s security posture.

Q: During Red Team adversarial simulation testing, are you asked to breach the perimeter, or do you begin the exercise on the inside?

A: While we’ve done both forms of testing, we preach to “assume breach,” so we most often start from within the network, on a VM or an internal user’s laptop, for example. There is always a way to get into the network either through exploiting an external facing device or through social engineering.

Q: In your attack simulation, you created a connection back to a C2 server to carry out the initial breach. What are some of the ways to gain network access?

A: We work to gain access in a variety of ways, such as deploying malicious code in enterprise applications or abusing inherent trust both externally and internally to gain a foothold. Examples include phishing with an HTA file, link or macro-embedded document sent to multiple people within the organization. All of these methods will lead to in-memory execution of our payloads. Once we’ve infiltrated the network, we’ll abuse trust, such as credentials, misconfigurations or software vulnerabilities, to escalate privileges locally. Attackers are lazy – they will usually choose the path of least resistance. Humans are always the easiest option to exploit.

Q: So, attackers will try to steal credentials from a compromised machine?

A: There are multiple credential locations within Windows – some of them are within Windows credential managers, user history, applications and even Outlook. Microsoft has done a lot of work to harden these locations (particularly from v8.1 on), but attackers continue to innovate, and they have found ways to circumvent these protections. If there is a privileged credential on a machine, it’s almost impossible to stop an attacker from stealing it and using it to help achieve his/her goal. That’s why it’s so important to ensure workstations don’t contain privileged accounts within the network.

(Editor’s note: CyberArk Endpoint Privilege Manager helps organizations to block and contain attacks at the endpoint, reducing the risk of information being stolen or encrypted and held for ransom. A combination of privileged security and application control reduces the risk of malware infection. Unknown applications run in a restricted mode to contain threats and behavioral analysis blocks credential theft attempts. These critical protection technologies are deployed as a single agent to strengthen existing endpoint security. It also enables security teams to enforce granular least privilege policies for IT administrators, helping organizations to effectively segregate duties on Windows servers.)

Q: Is there a difference between an external or internal attack?

A: The concept of inside vs. outside is obsolete. We view internal resources as hostile territory. Organizations need to treat their internal network in the same way they treat their external network. Just like you would not put an RDP connection outside, connected to the internet with a weak password, you should not do it internally. At the end of the day, a compromised workstation or malicious insider will lead to the same result.

Q: What is the biggest deterrent to you being able to move laterally throughout a network?

A: This is relevant to almost every threat actor out there – from script kiddies to nation states and everything in between: Lateral movement occurs after an attacker finds a user’s privileged accounts and begins impersonating that user by using those privileged accounts. In almost all of our engagements, we end up searching and querying Active Directory to figure out who is logging in and from where, in our hunt for privileges. As an attacker, if I cannot access your privileged accounts (passwords, SSH keys, tokens, etc.), my job becomes infinitely harder to do.

Interested in learning more about our Red Team’s research? Check out our Threat Research blog, which features in-depth technical research from CyberArk Labs and Red Team security experts to help you think like an attacker by keeping you ahead of the latest threats.

Last week we had a chance to sit down with Congressman Kennedy to discuss a number of things, including the state of cybersecurity. It was a great afternoon, and we were excited to hear his views on how the security industry can work with government to help stem the issues we all face.

Key takeaways for us were that the US government truly is starting to understand the massive issues IT faces in defending critical infrastructure, sensitive IP, state secrets and many other areas impacting the economy.

Snowden really opened eyes on The Hill, reinforced by the spate of high-profile breaches of late:

The U.S. Department of Homeland Security report on the successful attack on a U.S. utility through a password brute-forcing attack is extremely alarming because of the simplicity of the attack.

The arrest of Navy systems administrator Nicholas Knight as the alleged ring leader of an antigovernment hacking group is a stark reminder that the breaches by Edward Snowden were not an isolated incident.

Hackers apparently based in Iran have mounted a three-year campaign of cyber-espionage against high-ranking U.S. and international officials, including a four-star admiral, to gather intelligence on economic sanctions, antinuclear proliferation efforts and other issues, according to cybersecurity investigators.

We all can play a role to help swing the balance of security in favor of the good guys, starting with participation in debates, helping educate those working on key government committees and working together as an industry to share information.

ESG’s Jon Oltsik has a great post on Network World this week about enterprise security monitoring. Large enterprises, he points out, need help in monitoring user behavior as well as endpoints and sensitive data.

Well put, however, I would take this a few steps further.

First, not all users are equal. Users with privileged access can do a lot more damage than average users. Given the power of administrative credentials like “root” access, these users can look at, touch and manipulate any data, anywhere it might rest. With these incredibly powerful credentials, a user can actually bypass security controls and turn off audit and monitoring systems – effectively breaching defenses without anyone ever knowing it. Need examples? There’s Navy systems administrator Nicholas Knight, for one, not to mention Edward Snowden.

Second, it’s not just malicious insiders companies need to worry about. External attackers have grasped the power of privileged user credentials for many years, and in every significant attack over the past few years, privileged account compromise played a critical role in the attack. The eBay breach is a classic example. The very fact that just a ‘small number’ of compromised accounts has resulted in such significant access to eBay’s corporate network is extremely concerning. Clearly, there has not been enough attention paid to protecting privileged access accounts, where one small human error or mistake can cause an enterprise-wide security breach. You can read more about this in a CyberSheath white paper here.

After the initial network breach, attackers go about the process of escalating their privileges so they can move laterally throughout the network.

In our previous posts, we highlighted parts one and two of a conversation on privileged account security with IDC analysts Charles Kolodgy and Sally Hudson. Here is the third and final part of that conversation.

This post includes a discussion around best practices when dealing with advanced threats. Below are IDC’s recommendations. You can see CyberArk’s best practices guide by maturity level here.

CyberArk: What recommendations do you have for companies beginning to look at protecting privileged accounts? What are some best practices to maximize protection while minimizing burden to the business?

IDC: The first step towards protection is to manage all privileged credentials, whether associated with users, applications, or network devices. One key capability to deter attacks is to offer rotating credentials. Another is to monitor and analyze log data to provide real-time information on potential threats. This actionable information can provide response teams with the intelligence needed to disrupt an attack and accelerate remediation. This intelligence data also provides a rich data set for auditors. Monitoring and analytics are a natural extension of a privileged account security solution and a clear differentiator for the vendors who include them. We recommend a number of best practices, including working with a vendor that has deep experience in the area of privileged account security versus a broad-based identity management provider that does not provide deep functionality in this area. Companies should also look for vendors with a comprehensive solution that can scale and expand as security needs change, and evaluate the solution’s ease of use.

Privileged account security is a critical component of any security profile. If an organization is not monitoring and analyzing the activity of all privileged accounts, then it is leaving the door open for a targeted, damaging attack. A correctly deployed privileged account security solution provides compelling ROI for an organization by easing the burden on the IT security team and providing them with a single platform from which to manage user activity.

In our previous post, we highlighted part of a conversation on privileged account security with IDC analysts Charles Kolodgy and Sally Hudson. Here is part two of that conversation.

CyberArk: What is privileged account security and why is it important?

IDC: Privileged account security solutions proactively secure and manage privileged credentials, monitor privileged account activity, and detect malicious privileged user behavior. These solutions provide the granularity needed to name the individual user, thus taking away the anonymity of shared accounts and providing individual accountability. Password or credential vaults, credential management and access approval workflows, session monitoring and recording, and behavioral analytics are all components of these types of solutions. Privileged account security is a critical component of a layered defense strategy because privileged accounts provide such broad access to critical data, servers, and virtually every component of IT infrastructure.

CyberArk: What technologies are available to help companies identify and stop attacks targeted at privileged credentials after they have breached the perimeter?

IDC: Existing enterprise security solutions such as network security tools, antivirus, and vulnerability assessments provide layers of defense. However, these tools have proven to be ineffective against determined external attackers and threats from users already inside the perimeter. To ensure that attackers are unable to exploit privileged accounts, take control of critical IT resources, and steal confidential information, these accounts must have proactive protection and be monitored on a continuous basis.

New tools focused on analyzing privileged account behavior in real time are becoming available, allowing the organization to identify abnormal use of privileged accounts. The goal is to provide alerts on deviations from expected user behaviors that may indicate malicious activity. For example, if administrator “X” always works between the hours of 8:30 and 5:30, a flurry of activity using his or her privileged credential at 1:00AM may be a strong attack indicator. Privileged account security solutions isolate individual user logon activity. Advanced analytics can identify unusual activity by a single user, rather than the entire shared account, thereby detecting a threat in progress. In addition to segmenting individual users, the solution should correlate data across all users and systems to provide additional immediate and actionable insight for identifying an in-progress attack. This ability to alert on unusual privileged account user behavior can substantially increase overall IT security within an organization, while simplifying a critical component of security monitoring and remediation.

CyberArk: How is threat analysis centered on privileged account data differentiated from other threat analysis, and what are some of the advantages?

IDC: Security monitoring solutions generate a great deal of data that can be normalized and processed to get an understanding of what is going on within the enterprise. Much of that information can be used to find indications of a breach. For this reason, organizations use log management and SIEM to comb through data for attack indicators. SIEM systems have their value but can be overwhelmed by the sheer amount of data that needs to be processed and the number of alerts that operators must triage and respond to. By concentrating analytics directly on anomalous events related to privileged user behavior, or correlating privilege-based alerts with other indicators, it is possible to quickly determine which alerts indicate a true threat as opposed to false positives.

As part of the privileged account security system, an analytics engine provides a targeted view on individual user or application behavior in context within the environment. The data is analyzed at the user-level, not the shared account level. This provides the granularity required to detect anomalies. Adding to the effectiveness of analytics, the solution analyzes data in real-time, empowering incident response teams to act quickly to disrupt in-progress attacks. These solutions can be integrated into an organization’s existing SIEM system to improve the SIEM’s overall effectiveness.
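The two IDC answers above (the 1:00AM "flurry of activity" example and the point that analysis must be done at the individual-user level rather than the shared-account level) describe a detection pattern that is easy to show in working code. The block below is an added example written for this page; it is not CyberArk's analytics engine, and the log format, field names, user names and thresholds are all constructed assumptions. Each line records a privileged session event already attributed to the individual who checked the shared account out of a vault, so the baseline and the alert are per user, not per shared account such as `root`.

```python
"""
Added example (not CyberArk code): per-user working-hours baseline for
privileged-session events and an alert on an off-hours burst of activity.
Log format, names and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed history. Format: <ISO timestamp> <user> <shared_account> <host> <action>
# The vault's checkout record has already mapped the shared account "root" to
# the individual user, so behaviour is tracked per person.
HISTORY = """\
2024-05-06T08:45:00 alice root db01 login
2024-05-06T10:12:00 alice root db01 sudo
2024-05-06T16:50:00 alice root db02 login
2024-05-07T09:05:00 alice root db01 login
2024-05-07T17:20:00 alice root db03 login
2024-05-06T22:10:00 bob root web01 login
2024-05-07T23:40:00 bob root web02 login
2024-05-08T01:15:00 bob root web01 sudo
"""

# Constructed new day of events: alice's credential is suddenly used on four
# hosts within a few minutes at 01:00; bob's night-shift activity is normal for him.
NEW_EVENTS = """\
2024-05-09T01:00:00 alice root db01 login
2024-05-09T01:01:30 alice root db02 login
2024-05-09T01:02:10 alice root db03 sudo
2024-05-09T01:03:00 alice root db04 login
2024-05-09T01:05:00 bob root web01 login
2024-05-09T09:30:00 alice root db01 login
"""


def parse(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, account, host, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "account": account, "host": host, "action": action})
    return events


def build_baseline(events, margin=1):
    """Per-user set of hours-of-day seen in history, widened by `margin` hours
    on each side so a slightly early or late login is not an anomaly."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["ts"].hour)
    baseline = {}
    for user, hours in seen.items():
        baseline[user] = {(h + d) % 24 for h in hours
                          for d in range(-margin, margin + 1)}
    return baseline


def detect(events, baseline, window=timedelta(minutes=10), burst=3):
    """Return one alert per user whose off-hours events number at least `burst`
    inside any `window`. A user with no baseline is treated as always off-hours."""
    off_hours = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        allowed = baseline.get(e["user"])
        if allowed is None or e["ts"].hour not in allowed:
            off_hours[e["user"]].append(e)

    alerts = []
    for user, evs in off_hours.items():
        best, start = None, 0
        for end in range(len(evs)):          # sliding window over sorted events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            size = end - start + 1
            if size >= burst and (best is None or size > best[1] - best[0] + 1):
                best = (start, end)
        if best is not None:
            s, e = best
            alerts.append({"user": user, "account": evs[s]["account"],
                           "first": evs[s]["ts"], "count": e - s + 1,
                           "hosts": sorted({x["host"] for x in evs[s:e + 1]})})
    return alerts


if __name__ == "__main__":
    for a in detect(parse(NEW_EVENTS), build_baseline(parse(HISTORY))):
        print(f"ALERT {a['user']} via {a['account']}: {a['count']} off-hours "
              f"events from {a['first']} on {a['hosts']}")
```

Running it reports a single alert for `alice` (four off-hours events across `db01`..`db04` starting at 01:00) and nothing for `bob`, whose 01:05 login falls inside his own baseline. That is the point of the user-level view: the same 01:00 activity on the shared `root` account is benign for one person and a strong indicator for another, and a baseline keyed on the shared account alone could not tell them apart.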